Fixed Invoke-Obfuscation command token error during agent negotiation process

mdns
cobbr 2017-06-19 00:28:21 -05:00
parent 4c8495144d
commit 76f1e85375
4 changed files with 64 additions and 28 deletions


@ -795,10 +795,8 @@ def obfuscate(psScript, obfuscationCommand):
toObfuscateFile = open(toObfuscateFilename, 'w') toObfuscateFile = open(toObfuscateFilename, 'w')
toObfuscateFile.write(psScript) toObfuscateFile.write(psScript)
toObfuscateFile.close() toObfuscateFile.close()
# Obfuscate using Invoke-Obfuscation w/ PowerShell # Obfuscate using Invoke-Obfuscation w/ PowerShell
subprocess.call("powershell 'Invoke-Obfuscation -ScriptPath %s -Command \"%s\" -Quiet | Out-File -Encoding ASCII %s'" % (toObfuscateFilename, convert_obfuscation_command(obfuscationCommand), obfuscatedFilename), shell=True) subprocess.call("powershell 'Invoke-Obfuscation -ScriptPath %s -Command \"%s\" -Quiet | Out-File -Encoding ASCII %s'" % (toObfuscateFilename, convert_obfuscation_command(obfuscationCommand), obfuscatedFilename), shell=True)
obfuscatedFile = open(obfuscatedFilename , 'r') obfuscatedFile = open(obfuscatedFilename , 'r')
# Obfuscation writes a newline character to the end of the file, ignoring that character # Obfuscation writes a newline character to the end of the file, ignoring that character
psScript = obfuscatedFile.read()[0:-1] psScript = obfuscatedFile.read()[0:-1]
@ -820,13 +818,13 @@ def obfuscate_module(moduleSource, obfuscationCommand="", forceReobfuscation=Fal
f.close() f.close()
# obfuscate and write to obfuscated source path # obfuscate and write to obfuscated source path
obfuscatedCode = obfuscate(psScript=moduleCode, obfuscationCommand=obfuscationCommand)
obfuscatedSource = moduleSource.replace("module_source", "obfuscated_module_source") obfuscatedSource = moduleSource.replace("module_source", "obfuscated_module_source")
try: try:
f = open(obfuscatedSource, 'w') f = open(obfuscatedSource, 'w')
except: except:
print color("[!] Could not read obfuscated module source path at: " + obfuscatedSource) print color("[!] Could not read obfuscated module source path at: " + obfuscatedSource)
return "" return ""
obfuscatedCode = obfuscate(psScript=moduleCode, obfuscationCommand=obfuscationCommand)
f.write(obfuscatedCode) f.write(obfuscatedCode)
f.close() f.close()
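Review bot: The `subprocess.call(..., shell=True)` line in the first hunk discards powershell's exit status, so when `powershell` is missing or Invoke-Obfuscation errors out, the very next `open(obfuscatedFilename, 'r')` raises IOError (or reads a stale file) with nothing pointing at the real cause. The nested quoting is also fragile: the whole pipeline is single-quoted for the POSIX shell, so a `'` or `$` in `convert_obfuscation_command(obfuscationCommand)` or in the temp paths terminates the shell string and runs the remainder as shell. Passing an argument list removes the shell layer and surfaces failures, e.g. `cmd = 'Invoke-Obfuscation -ScriptPath %s -Command "%s" -Quiet | Out-File -Encoding ASCII %s' % (toObfuscateFilename, convert_obfuscation_command(obfuscationCommand), obfuscatedFilename)` followed by `subprocess.check_call(["powershell", "-Command", cmd])`. The `obfuscate` function begins before this hunk, so the temp-file setup that produces these paths is not visible here.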


@ -404,7 +404,6 @@ class Listener:
if obfuscate: if obfuscate:
randomizedStager = helpers.obfuscate(randomizedStager, obfuscationCommand=obfuscationCommand) randomizedStager = helpers.obfuscate(randomizedStager, obfuscationCommand=obfuscationCommand)
print randomizedStager
# base64 encode the stager and return it # base64 encode the stager and return it
if encode: if encode:
return helpers.enc_powershell(randomizedStager) return helpers.enc_powershell(randomizedStager)


@ -128,7 +128,7 @@ http://www.danielbohannon.com
# Run 'Comment' first since it will be the least number of tokens to iterate through, and comments may be introduced as obfuscation technique in future revisions. # Run 'Comment' first since it will be the least number of tokens to iterate through, and comments may be introduced as obfuscation technique in future revisions.
$ObfuscationTypeOrder += 'Comment' $ObfuscationTypeOrder += 'Comment'
# Run 'String' second since otherwise we will have unnecessary command bloat since other obfuscation functions create additional strings. # Run 'String' second since otherwise we will have unnecessary command bloat since other obfuscation functions create additional strings.
# $ObfuscationTypeOrder += 'String' $ObfuscationTypeOrder += 'String'
$ObfuscationTypeOrder += (Get-Random -Input $ObfuscationChoices -Count $ObfuscationChoices.Count) $ObfuscationTypeOrder += (Get-Random -Input $ObfuscationChoices -Count $ObfuscationChoices.Count)
# Apply each randomly-ordered $ObfuscationType from above step. # Apply each randomly-ordered $ObfuscationType from above step.
@ -691,11 +691,35 @@ http://www.danielbohannon.com
default {Write-Error "An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Token Obfuscation."; Exit} default {Write-Error "An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Token Obfuscation."; Exit}
} }
} }
# Evenly trim leading/trailing parentheses. # Evenly trim leading/trailing parentheses.
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')'))
{ {
$ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() $TrimmedObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim()
# Check if the parentheses are balanced before permenantly trimming
$Balanced = $True
$Counter = 0
ForEach($char in $TrimmedObfuscatedToken.ToCharArray()) {
If($char -eq '(') {
$Counter = $Counter + 1
}
ElseIf($char -eq ')') {
If($Counter -eq 0) {
$Balanced = $False
break
}
Else {
$Counter = $Counter - 1
}
}
}
# If parantheses are balanced, we can safely trim the parentheses
If($Balanced -and $Counter -eq 0) {
$ObfuscatedToken = $TrimmedObfuscatedToken
}
# If parentheses cannot be trimmed, break out of loop
Else {
break
}
} }
} }
@ -1157,6 +1181,9 @@ http://www.danielbohannon.com
$SubSubString = $ScriptString.SubString($Token.Start+$Token.Length,$RemainingSubString) $SubSubString = $ScriptString.SubString($Token.Start+$Token.Length,$RemainingSubString)
If(($Token.Content.ToLower() -eq 'invoke') ` If(($Token.Content.ToLower() -eq 'invoke') `
-OR ($Token.Content.ToLower() -eq 'computehash') `
-OR ($Token.Content.ToLower() -eq 'tobase64string') `
-OR ($Token.Content.ToLower() -eq 'getstring') `
-OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) ` -OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) `
-OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) ` -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) `
-AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')'))))))) -AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')')))))))
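Review bot: The comment above the now-disabled `$ObfuscationTypeOrder += 'String'` line still reads "Run 'String' second since otherwise we will have unnecessary command bloat", so the hunk leaves a rationale for a pass that no longer runs and no record of why it was switched off. A comment such as `# 'String' token pass disabled: it corrupted the agent-negotiation tokens (see commit); re-enable once it preserves them` would stop the next reader from turning it back on blindly — the reason is inferred from the commit title, so confirm it before writing it down. In the new parenthesis-trimming block, the counter treats every `(` and `)` literally, including ones inside quoted strings, which means a quoted parenthesis makes the loop refuse to trim rather than trim wrongly; a one-line comment like `# Parens inside string literals are counted too, so this is conservative: it may keep a redundant outer pair, never strip a needed one` documents that intent, and the two typos (`permenantly`, `parantheses`) in the added comments could be fixed at the same time. The enclosing functions start and end outside these hunks.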


@ -42,17 +42,17 @@ elif lsb_release -d | grep -q "Kali"; then
pip install zlib_wrapper pip install zlib_wrapper
pip install netifaces pip install netifaces
if ! which powershell > /dev/null; then if ! which powershell > /dev/null; then
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add - wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb
curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
wget http://ftp.debian.org/debian/pool/main/i/icu/libicu52_52.1-8+deb8u5_amd64.deb
wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
dpkg -i libicu52_52.1-8+deb8u5_amd64.deb wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
apt-get install -y libunwind8
dpkg -i libicu55_55.1-7_amd64.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
apt-get install -y apt-transport-https dpkg -i powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
apt-get update apt-get install -f -y
apt-get install -y powershell rm libicu55_55.1-7_amd64.deb
rm libicu52_52.1-8+deb8u5_amd64.deb
rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
rm powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
fi fi
mkdir -p /usr/local/share/powershell/Modules mkdir -p /usr/local/share/powershell/Modules
cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
@ -72,11 +72,17 @@ elif lsb_release -d | grep -q "Ubuntu"; then
pip install zlib_wrapper pip install zlib_wrapper
pip install netifaces pip install netifaces
if ! which powershell > /dev/null; then if ! which powershell > /dev/null; then
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add - wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb
curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
apt-get install -y apt-transport-https wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
apt-get update apt-get install -y libunwind8
apt-get install -y powershell dpkg -i libicu55_55.1-7_amd64.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
dpkg -i powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
apt-get install -f -y
rm libicu55_55.1-7_amd64.deb
rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
rm powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
fi fi
mkdir -p /usr/local/share/powershell/Modules mkdir -p /usr/local/share/powershell/Modules
cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
@ -96,11 +102,17 @@ else
pip install zlib_wrapper pip install zlib_wrapper
pip install netifaces pip install netifaces
if ! which powershell > /dev/null; then if ! which powershell > /dev/null; then
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add - wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb
curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
apt-get install -y apt-transport-https wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
apt-get update apt-get install -y libunwind8
apt-get install -y powershell dpkg -i libicu55_55.1-7_amd64.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
dpkg -i powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
apt-get install -f -y
rm libicu55_55.1-7_amd64.deb
rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
rm powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
fi fi
mkdir -p /usr/local/share/powershell/Modules mkdir -p /usr/local/share/powershell/Modules
cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
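Review bot: Each of the three new install branches fetches `libicu55_55.1-7_amd64.deb` and `libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb` over plain `http://` and hands them, together with the GitHub-hosted PowerShell .deb, straight to `dpkg -i` as root, and `dpkg -i` performs no signature or digest check — so the commit replaces the signed Microsoft apt repository with downloads an on-path attacker could substitute. The `wget` exit codes are never checked either, so a failed download leaves `dpkg -i` complaining about a missing file while `apt-get install -f -y` and the rest of the setup carry on as if PowerShell were installed. Pinning each package's SHA-256 (from the release page or the pool's Packages file) and aborting on mismatch restores the protection apt provided regardless of the transport, and moving the block into one function removes the three verbatim copies; use `https://` where the mirror offers it. Since deb8u6 libssl1.0.0 and alpha.16 PowerShell are fixed old builds, the pins only need refreshing when those versions are deliberately bumped.
```shell
# dpkg -i installs whatever it is given with no signature check, so pin digests here.
fetch_and_verify() {
    # $1 = URL, $2 = expected sha256 of the file
    wget -q "$1" || { echo "[!] download failed: $1"; exit 1; }
    echo "$2  $(basename "$1")" | sha256sum -c - || { echo "[!] checksum mismatch: $1"; exit 1; }
}

install_powershell() {
    apt-get install -y libunwind8
    fetch_and_verify "http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb" "<sha256 of libicu55 .deb>"
    fetch_and_verify "http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb" "<sha256 of libssl1.0.0 .deb>"
    fetch_and_verify "https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb" "<sha256 of powershell .deb>"
    dpkg -i libicu55_55.1-7_amd64.deb libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
    apt-get install -f -y
    rm -f libicu55_55.1-7_amd64.deb libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
}

# … unchanged: per-distro pip installs …
if ! which powershell > /dev/null; then
    install_powershell
fi
```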